Store MFA (TOTP) secret in aws-vault #386
Go for it @StevenACoffman

Although now reading about keyfob, I'm not sure that's a good idea. The whole point of a second factor is "something you have". Switching that to the keychain eliminates the second factor.

Seems pretty equivalent, especially because most people don't bother to remove the slim profile yubikeys from their laptop usb ports. I could pretty easily have the keyfob TOTP generation process require Mac Touch ID to unlock and that would actually add some real security (biometric) to the process. Would you then be interested in me incorporating that into aws-vault?

Except that the "AWS secret access key (thing you know)" is stored in the Keychain. If the "thing you know" and "thing you have" are accessed with the same mechanism, this doesn't really meet the 2fa definition.

I already run authy on my mac (and phone), so that always feels like 1.5 MFA.

@mtibben Completely fair to have your own comfort level with security. Everyone has different requirements for stringency. Just to clarify, are you saying I should not bother with adding a Touch ID requirement to TOTP generation and then making that a contribution to aws-vault, as it would not be accepted? As I said, that would be completely fair of you, even if it seems like that would be an improvement over authy and yubikey to me.

My thing with aws-vault is that I just always want to be prompted when key material is accessed. Currently for me that is an MFA token. I'd be happy for it to be TouchID that did the prompting. I'd probably be less keen on 2fa support unless it also came with TouchID (and even better with secure enclave support).
As a user, I feel it would be an improvement to use my yubikey instead of typing the keychain password each time. This may not be considered ideal as 2FA, but I think it's an improvement for frequent or power users. To make things simple, I view it like ssh keys. The private key is encrypted with my passphrase, which might not be as secure as a Yubikey. So I started using Yubikey for SSH, much faster and easier on a daily basis. PS. I also use aws-vault at least 10-20 times a day 😉 Also, another thought: since

Using

I initialized

Optionally it's also possible to add a secondary GPG key as well as a backup, in case you don't have the yubikey or lost it.
For those looking to use a Yubikey/Pass setup with touch, these are the steps I did on Mac.

1. Remove the existing credential. Run only if you already have it set up before:
2. Set in your bash/fish/zsh env
3. Get a new access key from the AWS console. Or extract it from the keychain; I recommend rotating it 😛 as a habit.
4. Setup
I am happily using both aws-vault (which stores my AWS credentials in my mac keychain) and keyfob to store my AWS MFA TOTP secret in my mac keychain, and generate my MFA as needed.
I wrote keyfob in golang, and aws-vault is in golang, so I was curious if you would be open to a pull request adding 2fa support to aws-vault?
This seems equivalent in security to the yubikey PR, but cheaper and possibly more convenient.
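To make concrete what "generate my MFA as needed" from a stored secret means, here is an added RFC 6238 TOTP generator (HMAC-SHA1, 30-second step) in Go; it is example code written for this page, not code from keyfob or aws-vault. The base32 secret used in the example is the RFC 6238 test key (ASCII "12345678901234567890"), so the codes can be checked against the RFC's published vectors. The security point of the thread is visible in the code: whoever can read the secret (from the keychain or anywhere else) can compute every future code, so the code only counts as "something you have" if the secret lives somewhere the access key does not.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpAt returns the RFC 6238 TOTP code for a base32-encoded secret at the
// given Unix time, using HMAC-SHA1 and a 30-second time step (the defaults
// AWS virtual MFA devices use). digits is normally 6.
func totpAt(secretB32 string, unix int64, digits int) (string, error) {
	// Authenticator apps usually show the secret as unpadded base32.
	clean := strings.ToUpper(strings.TrimRight(secretB32, "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
	if err != nil {
		return "", fmt.Errorf("invalid base32 secret: %w", err)
	}
	// The moving factor is the number of 30-second steps since the epoch,
	// encoded as an 8-byte big-endian counter (RFC 4226 section 5.3).
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod), nil
}

// rfc6238TestSecret is the RFC 6238 SHA-1 test key "12345678901234567890"
// in base32; it is a published test vector, not a real MFA secret.
const rfc6238TestSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

func main() {
	code, err := totpAt(rfc6238TestSecret, time.Now().Unix(), 6)
	if err != nil {
		panic(err)
	}
	fmt.Println("current code for the RFC test secret:", code)
}
```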